PCT
WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)


(51) International Patent Classification 6: G07F 7/08, 19/00
(11) International Publication Number: WO 97/02547 A1
(43) International Publication Date: 23 January 1997 (23.01.97)
(21) International Application Number: PCT/EP96/02997
(22) International Filing Date: 5 July 1996 (05.07.96)
(81) Designated States: AU, BG, BR, CA, CN, CZ, EE, FI, HU, IL, JP, KR, LT, LV, MX, NO, NZ, PL, RO, SG, TR, UA, Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE).
(30) Priority Data: 1000741, 6 July 1995 (06.07.95), NL
(71) Applicant: KONINKLIJKE PTT NEDERLAND N.V. [NL/NL]; 7 Stationsplein, NL-9726 AE Groningen (NL).
(72) Inventor: DE ROOIJ, Peter, Jacobus, Nicolaas; Wijnpersstraat 30/13, B-3000 Leuven (BE).

Published: With international search report. Before the expiration of the time limit for amending the claims and to be republished in the event of the receipt of amendments.



(54) Title: METHOD FOR TRACING PAYMENT DATA IN AN ANONYMOUS PAYMENT SYSTEM, AS WELL AS PAYMENT SYSTEM IN WHICH THE METHOD IS APPLIED



(57) Abstract

The invention relates to a method for tracing payment data in an anonymous payment system having electronic payment means, such as so-called "smart cards". According to the invention, the user (U) commits himself to a value (w; w'') which may later be used for the tracing by a payment institution (B). The value (w) is preferably recorded with the help of a so-called one-way function (F) and an (electronic) signature (σ), so that the payment institution does not dispose of the value itself, but is able to verify it on the basis of the stored derivative (w'') of the value. The invention further relates to a payment means and a payment system for application of the method.

Method for tracing payment data in an anonymous payment system, as well as payment system in which the method is applied.

BACKGROUND OF THE INVENTION 

The invention relates to a method for tracing payment data in an anonymous payment system. More in particular, the invention relates to such a method in the event that payment data have been lost due to damage of the payment means or premature interruption of a transaction.

In electronic payment systems, problems may arise if a payment means, such as a payment card, is damaged or lost. Particularly in the event of payment systems with payment in advance ("prepaid payment systems"), the value stored in the payment means may then be lost. In order not to put the user at a disadvantage in such a case, the payment transactions effected should be reconstructed or at least traced, so that a fair settlement of the actually effected payments can still take place.

Even if a (payment) transaction is prematurely broken off, payment data may be lost, with possible adverse consequences for the user of the payment means and/or for the receiver of the payment. In this case, payment data should also be traced, in order to prevent or undo possible harm.

In the event of anonymous payment systems, i.e., payment systems in which the payments cannot afterwards be related to a certain user (payer), the problem arises that reconstructing or tracing effected payment transactions is in most cases impossible. It is specifically the anonymous nature of such payment systems which impedes transactions being traced. The users of such systems can therefore be harmed by the loss of, or damage to, their payment means.

Prior art documents, such as US Patents 5 018 196 and 4 993 068, or European Patent Applications 0 637 004 and 0 518 365, do not offer a solution to these problems. US Patent 5 018 196, for instance, deals with the exchange of digital signatures of contract documents through an information network. Preliminary digital signatures are exchanged between parties in order to provide evidence in case problems arise. The said Patent does not deal with the tracing of payment data in an anonymous payment system.
SUMMARY OF THE INVENTION

It is an object of the invention to eliminate the above and 
other drawbacks of the prior art and to provide a method which makes 
it possible, in an anonymous payment system, to trace transactions 
and, if necessary, to reconstruct these transactions, with the 
anonymity of the user being protected as much as possible. 

It is a further object of the invention to provide a payment 
system in which the above-mentioned method is applied. 

For this purpose, the invention provides a method for tracing payment data in an anonymous payment system having electronic payment means and at least one payment institution designed for electronic payments, which method comprises: a first step in which the user issues a value characterising his payment data to the payment institution, which value is stored by the payment institution and, if tracing is desired, a second step in which the user releases the value, whereafter payment data are checked on the basis of the said value.

The invention is based on the insight that, for tracing lost transactions, the anonymity of the payment system must be breached, at least in part. The invention is also based on the further insight that the anonymity should preferably be breached only with the co-operation of the user.

Breaching the anonymity may take place by making available, to the payment institution, information which is used by the payment means to construct a recognisable part of the (future) payments. The payment institution may analogously reconstruct such recognisable parts of the payments afterwards.

A preferred embodiment of the invention is based on the insight 
that it suffices for the user to commit himself to a value by issuing 
check information related to such value. In the first step, 
therefore, a check digit of the said value is advantageously recorded, 
instead of the value itself, with the user supplying the value itself 
only in the second step, or at least giving permission to use the 
value itself. 

Preferably, the said value is blocked in the first step in such a manner that the payment institution cannot apply the value without the co-operation of the user. As a result, the anonymity of the user is maintained. On the other hand, the user commits himself to the said value by means of the check value, so that the value cannot be modified by the user.

The value is advantageously blocked, in the first step, with the help of a one-way function. By means of a one-way function, it may be achieved that the value can be checked afterwards, while the value itself cannot be determined by the payment institution. This provides a further protection of the anonymity of the user.

EXEMPLARY EMBODIMENTS 

The invention will be explained in greater detail below with reference to the Figures.

FIG. 1 schematically shows an embodiment of the method according to the invention.

FIG. 2 schematically shows an example of the application of the method according to the invention.

The embodiment of the method according to the invention schematically shown in FIG. 1 comprises two steps. The first step, indicated by I, is preferably carried out regularly, i.e., at fixed points in time or after every n transactions (n ≥ 1), e.g., in the event of charging a (prepaid) payment means and/or in the event of any contact with the payment institution in question. The second step, indicated by II, is carried out only if payment data were lost and must be traced afterwards.

In the first step (I), the user commits himself to a value w; in other words, the user makes a so-called "commitment" to the value w. The value w itself, e.g., is the value (status) of the random generator (RNG) of the payment means in question. The said committing may take place by subjecting the value w to a one-way function and the subsequent affixing of a signature to the result of the one-way function. The application of the one-way function (F) has the advantage that the payment institution (indicated by "Bank" in FIG. 1, but institutions other than banks can also be envisaged) cannot determine w from the resulting value w' (where w' = F(w), F being the one-way function), so that the anonymity of the user is maintained. The payment institution is able to check w', however, by also calculating w' from the value w provided later. This will be explained in greater detail below.

It will be understood that a one-way function F known per se from cryptography has the property that its inverse (F^-1) cannot, or cannot viably, be calculated. In other words, w' = F(w) may be simply calculated from w, but it is not viable to reconstruct the original value w = F^-1(w') from w'. As a result, the one-way function provides a further protection of the user.

Affixing a (digital) signature to w' has the advantage that it can be proven, by the payment institution, that a certain user has supplied the value w in question (or w', w''). Affixing a signature to the value w', resulting in the value w'', is carried out with a function σ, which may be a function known per se from cryptography. The value w'', where w'' = σ(w') = σ(F(w)), is stored by the payment institution.

In the second step (II), the user "opens" the value committed to. This "opening" takes place, e.g., by providing the value w to the payment institution, whereafter the payment institution can reconstruct w' as w' = F(w) and subsequently verify the signature w'' on w'. The payment institution then verifies, on the basis of the values of w used in various transactions, which transactions have been carried out successfully. The opening may take place by informing the payment institution that a stored value w may be used.

A further check may be obtained if the user repeatedly provides values w'' (possibly: w') to the payment institution, and the payment institution stores the i-th value (i ≥ 1), whilst the i-1 preceding values are applied by the user only to verify the correct application of F and σ.

In fact, the method according to the invention comprises two submethods, corresponding to the said two steps: the first step comprises a method for protectedly storing reconstruction data, with the second step comprising a method for reconstructing payment data on the basis of reconstruction data.

In FIG. 2, there is schematically, and by way of example, illustrated a further elaboration of the second step of the method according to the invention.

In the first step, the payment means of the user has issued a value w'' = σ(F(w)) which is related to the status of the random generator of the payment means of the user in question. If payments (in general: transactions) are to be traced or reconstructed because, e.g., a payment means was lost or a transaction was prematurely terminated, the user gives permission, in the second step, to use the value w stored at the payment institution ("Bank" in FIG. 2). In the case shown, this occurs by the user (or the payment means of the user, as the case may be) transferring the value w (stored for this purpose in the payment means) to the payment institution. As a result, the payment institution is able to verify the stored value w'' by calculating w' (w' = F(w)) and checking the signature on w'.

At the payment institution, there have e.g. been received the electronic cheques Ch1, Ch2 and Ch5, represented by (c1, b1), (c2, b2) and (c5, b5) respectively. In this example, it is assumed that the cheque Ch3 was never issued and that the transaction with the cheque Ch4 was broken off (represented by X in FIG. 2) due to a technical failure. It should be noted that instead of cheques other types of electronic payments, e.g. electronic coins, may be used as well.

The payment information consists, inter alia, of an identification ci (c1, c2 or c5), which is related to the status of the said random generator at the time of the "writing out" of the respective cheque, and an amount bi (b1, b2, b5). On the basis of the value w, the successive values ci (i = 1...5) are now generated anew by the payment institution. On the basis of the value ci, the cheques Ch1, Ch2 and Ch5 may be traced, i.e., recognized as cheques of the user in question. Since the beneficiary of the payment communicates the amount to the payment agency, the amounts b1, b2, b5 are known to the payment institution as well.

This embodiment of the method may be applied for indemnifying the user in the event of loss or technical failure. On the basis of recognised (traced) payments, the difference between the sum of the paid amounts and the balance of the payment means at the moment of issuing the (derivative of the) value (w'') may be repaid to the user.

In the event that a payment is broken off prematurely, the method according to the invention may be applied to detect whether indeed an interrupted transaction was involved. If this was not the case, the payment may be traced. Here, the first step of the method may possibly be dispensed with; the user may immediately release the value. The payment means may possibly provide additional information on transactions gone wrong or broken off.
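The two steps described above (commitment w'' = σ(F(w)) in step I, opening and cheque tracing in step II, as elaborated for FIG. 2) as an added, runnable illustration; this is not code from the patent. It assumes SHA-256 as the one-way function F, a toy RSA key pair for the signature σ, and a constructed derivation of the cheque identifications ci from the RNG state w (the patent only says ci is related to the RNG status); all sample values are constructed.

```python
import hashlib

# Toy RSA key pair for the user's payment means (constructed for this example;
# n = 61 * 53, e = 17, d = e^-1 mod phi(n); a real deployment uses full-size keys).
N, E, D = 3233, 17, 2753

def F(w: bytes) -> bytes:
    """One-way function F: the payment institution cannot recover w from w' = F(w)."""
    return hashlib.sha256(w).digest()

def _digest_mod_n(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes) -> int:
    """Signature sigma on msg with the user's private exponent D."""
    return pow(_digest_mod_n(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    """Payment institution checks sigma with the user's public key (N, E)."""
    return pow(sig, E, N) == _digest_mod_n(msg)

def commit(w: bytes) -> tuple[bytes, int]:
    """Step I: the user issues w'' = sigma(F(w)); the bank stores (w', sig), never w."""
    w1 = F(w)
    return w1, sign(w1)

def open_commitment(w: bytes, stored: tuple[bytes, int]) -> bool:
    """Step II: the user releases w; the bank recomputes F(w) and checks the signature."""
    w1, sig = stored
    return F(w) == w1 and verify(w1, sig)

def cheque_id(w: bytes, i: int) -> bytes:
    """Identification c_i of the i-th cheque derived from RNG state w
    (assumed construction: the patent only says c_i is related to the RNG status)."""
    return hashlib.sha256(w + i.to_bytes(4, "big")).digest()[:8]

def trace(w: bytes, received: dict[bytes, int], balance: int, n: int) -> tuple[list[int], int]:
    """Regenerate c_1..c_n from w, recognise the user's cheques among those the bank
    received (map c_i -> amount b_i) and return (traced cheque numbers, refund)."""
    traced, paid = [], 0
    for i in range(1, n + 1):
        if (ci := cheque_id(w, i)) in received:
            traced.append(i)
            paid += received[ci]
    return traced, balance - paid   # refund = balance at commitment - sum of traced amounts

def demo() -> tuple[list[int], int]:
    """The FIG. 2 scenario with constructed values: Ch1, Ch2, Ch5 received,
    Ch3 never issued, Ch4 broken off; the card held 100 units when it committed."""
    w = b"constructed RNG state of the card"
    stored = commit(w)                                   # step I, e.g. when charging the card
    received = {cheque_id(w, 1): 10, cheque_id(w, 2): 25, cheque_id(w, 5): 40,
                cheque_id(b"another card's state", 1): 99}   # constructed bank ledger
    if not open_commitment(w, stored):                   # step II: user releases w
        raise ValueError("released w does not match the stored commitment")
    return trace(w, received, balance=100, n=5)
```

Only the cheques whose ci the bank can regenerate from w are attributed to the user; the foreign cheque in the ledger stays untraced, and the bank learns w only when the user releases it.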

A payment system in which the invention is applied comprises at least a payment institution (such as a bank, credit card company, or possibly telecommunications company), payment stations (such as cash registers of sales points designed for that purpose) and users having payment means (such as payment cards, "smart cards"). During a payment transaction, there is basically no direct connection required between a payment station and a payment institution. Such connection is advantageously set up only periodically, in order to settle transactions effected.

On the basis of the tracing of transactions according to the invention, i.e., the verification whether the transactions in question have taken place, the transactions effected may possibly be reconstructed as well. The payment transactions discussed above may take place with so-called electronic cheques.

It will be understood by those skilled in the art that the invention is not limited to the embodiments discussed above, and that many modifications and additions are possible without departing from the scope of the present invention.
CLAIMS

1. Method for tracing payment data in an anonymous payment system having electronic payment means and at least one payment institution (B) designed for electronic payments, which method comprises:
- a first step (I), wherein the user (U) issues a value (w) characterising his payment data to the payment institution, which value (w) is stored by the payment institution (B), and, if tracing is desired,
- a second step (II), wherein the user (U) releases the value (w), whereafter payment data are checked on the basis of the said value (w).

2. Method according to claim 1, wherein the user blocks the said value (w) in the first step by issuing a derived value (w') instead of the said value (w).

3. Method according to claim 2, wherein the blocking is carried out with the help of a one-way function (F) operating on the value (w).

4. Method according to claim 2 or 3, wherein the issuing of the value (w) in the first step (I) also comprises the making of a signature (σ).

5. Method according to any of the preceding claims, wherein the second step (II) is carried out at the request of the payment institution (B).

6. Method according to any of the preceding claims, wherein the first step (I) takes place during the charging with money of the payment means.

7. Method according to any of the preceding claims, wherein the 
first step (I) is carried out periodically. 

8. Method according to any of the preceding claims, wherein, if a transaction is broken off prematurely, the second step (II) is used for detecting successful transactions.

9. Method according to claim 8, in which, for the execution of 
inter alia the second step, a special means is provided, such as a 
special card provided with an integrated circuit. 

10. Method according to any of the preceding claims, wherein lost financial means are repaid to the user, if necessary.

11. Method according to any of the preceding claims, wherein the 
electronic payment means comprises a card provided with an integrated 
circuit. 
12. Payment means provided with an integrated circuit, such as a so-called smart card, designed for tracing payment data in an anonymous payment system by issuing a value (w; w'') characterising the user's payment data to the payment institution (B), which value is stored by the payment institution, and, if tracing is desired, releasing said value (w), thus enabling a payment institution to check payment data on the basis of said value.